Mission:data Seeks NY PSC Declaratory Ruling Utilities Cannot Require Data Security Agreements For DER Providers Solely Using Green Button Connect
December 3, 2018 Email This Story Copyright 2010-17 EnergyChoiceMatters.com
Reporting by Paul Ring • firstname.lastname@example.org
The following story is brought free of charge to readers byEC Infosystems, the exclusive EDI provider of EnergyChoiceMatters.com
Mission:data Coalition petitioned the New York PSC to issue a declaratory ruling, "affirming its October 19, 2017 Order Establishing Oversight Framework and Uniform Business Practices for Distributed Energy Resource Suppliers in Case 15-M-0180 ('DER Oversight Order')," and specifically affirming "that the Commission expressly prohibits any utility offering Green Button Connect ('GBC') from requiring Distributed Energy Resource Suppliers ('DER Suppliers') to sign Data Security Agreements, and related documents such as a Self-Attestation of Information Security Controls (together, the 'DSAs'), as a condition of using GBC."
"A declaratory order is appropriate and necessary because there is a direct conflict between the Commission’s language in the DER Oversight Order and the utilities’ recently-imposed, extrajudicial requirement that DER Suppliers comply with the DSAs developed in this proceeding [Case 18-M-0376] as a condition of accessing customer data via the Green Button Connect platform. This directly contravenes the plain language of the DER Oversight Order that exempts DER Suppliers that use GBC from those cybersecurity requirements. The DER Oversight Order section that discusses data security requirements states clearly that 'This section does not impose any obligations on DER suppliers that do not request or receive data using EDI [Electronic Data Interchange]'. In other words, the DER Oversight Order specifically prohibits utilities from requiring DER Suppliers that do not use Electronic Data Interchange ('EDI') to abide by certain cybersecurity requirements. In violation of the DER Oversight Order, the Joint Utilities are currently requiring DSAs to be signed by DER Suppliers, regardless of the platform used or the type of data exchanged with DER Suppliers. Accordingly, Mission:data respectfully requests the Commission address and resolve this conflict by affirming the DER Oversight Order," Mission:data said in its petition
"Of importance to Mission:data is that ConEd, who is the first New York utility to offer GBC, also requires DER Suppliers wishing to use GBC, and not merely ESCOs that use EDI, to execute the DSAs. According to the Joint Utilities, the newly-finalized DSAs are meant to apply to all energy services entities ('ESEs'), not just ESCOs and their I.T. contractors. According to the final DSA dated August 16th, 2018, an ESE is an entity which 'includes but is not limited to ESCOs, Direct Customers, DERS and contractors of such entities...,'" Mission:data said in its petition
"By requiring the DSAs of DER Suppliers using GBC, ConEd’s actions contravene the plain language of the DER Oversight Order," Mission:data alleged in its petition
"The DSAs for ESCOs are onerous and inappropriate for DER Suppliers and will delay the development of the DER Supplier market to the detriment of consumers. Access to customer energy usage data via GBC is crucial for DER Suppliers to offer services," Mission:data said in its petition
Mission:data said in its petition that the Uniform Business Practices for DER Suppliers (UBP-DERS), adopted as part of the DER Oversight Order, states in Section 2C, Customer Data: "Applicability. This Section establishes practices for release and protection of customer information by distribution utilities or DSPs to DER suppliers using EDI."
Mission:data said in its petition that this section of the UBP-DERS further states, "This section does not impose any obligations on DER suppliers that do not request or receive data using EDI..."